A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries.
The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code.
In the samples analyzed by the security team at DFIR.it, the malicious apps downloaded a Java-based malware named Supreme NYC Blaze Bot (supremebot.exe).
According to researchers, this appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.
All the GitHub accounts that were hosting these files, backdoored versions of legitimate apps, have now been taken down.
The accounts that did not host backdoored apps were used to "star" or "watch" the malicious repositories and help boost their popularity in GitHub's search results.
Some of the apps and libraries for which the hacker(s) created backdoored versions include MinGW, GCC, FFmpeg, EasyModbus, and various Java-based games.
The DFIR.it investigation into this network of backdoored apps started when researchers spotted a malicious version of the JXplorer LDAP browser.
Most users of the listed apps are safe unless they went out of their way to download the apps from outside the official websites and landed on any of the malicious GitHub repos by accident.
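The star-boosting described above (sock-puppet accounts "starring" or "watching" a repository to lift it in search results) leaves a footprint that a defender can check before trusting a repo. The following is an added example, not code from the article or from DFIR.it: a heuristic over stargazer profile records in the shape GitHub's REST API returns for a user (`login`, `created_at`, `public_repos`, `followers`). The records are constructed inline so it runs offline; the thresholds are assumptions to tune, not values from the investigation.

```python
# Added example (not from the article or DFIR.it): flag star inflation by looking
# for stargazers that have almost no footprint AND were registered in a burst.
from datetime import datetime

# Constructed sample: three organic-looking users plus a cluster of throwaway
# accounts registered within a day of each other with no repos and no followers.
STARGAZERS = [
    {"login": "dev-alice", "created_at": "2014-03-02T10:00:00Z", "public_repos": 42, "followers": 120},
    {"login": "bob-ops",   "created_at": "2016-07-19T08:30:00Z", "public_repos": 7,  "followers": 15},
    {"login": "carol",     "created_at": "2012-11-11T12:00:00Z", "public_repos": 88, "followers": 300},
    {"login": "user1001",  "created_at": "2018-09-14T03:10:00Z", "public_repos": 0,  "followers": 0},
    {"login": "user1002",  "created_at": "2018-09-14T03:12:00Z", "public_repos": 0,  "followers": 0},
    {"login": "user1003",  "created_at": "2018-09-14T03:13:00Z", "public_repos": 0,  "followers": 0},
    {"login": "user1004",  "created_at": "2018-09-14T03:15:00Z", "public_repos": 1,  "followers": 0},
    {"login": "user1005",  "created_at": "2018-09-15T03:20:00Z", "public_repos": 0,  "followers": 0},
]


def _created_day(rec):
    """Registration date of an account record (GitHub's ISO-8601 timestamp)."""
    return datetime.strptime(rec["created_at"], "%Y-%m-%dT%H:%M:%SZ").date()


def is_throwaway(rec, max_repos=1, max_followers=0):
    """Account with (almost) no public footprint. A weak signal on its own:
    plenty of real users only star things, so it is combined with timing below."""
    return rec["public_repos"] <= max_repos and rec["followers"] <= max_followers


def flag_star_inflation(stargazers, cluster_days=2, min_cluster=3):
    """Return (flagged_logins, fraction_of_stargazers_flagged).

    A throwaway account is flagged when at least `min_cluster` throwaway
    stargazers (itself included) were registered within `cluster_days` of it.
    Organic stargazers are never flagged, whatever their registration date.
    """
    throwaways = [r for r in stargazers if is_throwaway(r)]
    days = [_created_day(r) for r in throwaways]
    flagged = set()
    for rec in throwaways:
        d = _created_day(rec)
        near = sum(1 for x in days if abs((x - d).days) < cluster_days)
        if near >= min_cluster:
            flagged.add(rec["login"])
    fraction = len(flagged) / len(stargazers) if stargazers else 0.0
    return flagged, fraction


if __name__ == "__main__":
    logins, share = flag_star_inflation(STARGAZERS)
    print(f"{len(logins)} of {len(STARGAZERS)} stargazers look synthetic ({share:.0%}): {sorted(logins)}")
```

A high flagged fraction is a reason to verify the project against its official website before downloading anything from the repository, not proof of malice on its own.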